If you are planning to do decryption then you MUST enable the HTTPS proxy. If you do not plan to do decryption then you don't have to enable it but do not redirect port 443 to the WSA if the HTTPS proxy is not enabled.
Thank you for your response. Would you please describe the side effects of redirecting port 443 to the WSA if HTTPS is not enabled? We are planning to set the WSA in transparent mode, as I have read in the user guide that transparent mode can accept both explicitly forwarded and transparent requests. My concern is that I have some users working on a Citrix server with cookie-based surrogate and some other fat clients. The guide stated that there are problems in using cookie-based and transparent. I appreciate your help, as I am not that familiar with the WSA.
How can I configure my policies so it works for both fat clients and Citrix server users?
As with any TCP device it has to listen on a port for connections to accept the socket. If you do not enable HTTPS proxy then we do not listen on port 443 for connections so any connection redirected to the proxy on port 443 will simply fail when using transparent mode. In explicit mode the browser is told to send HTTPS traffic to the proxy on the proxy port 80, 3128, 8080 etc. so the proxy is listening on that specific port for any traffic. The same would happen to HTTP traffic if you redirect traffic to the proxy on port 9999 but didn't configure the proxy to accept traffic on port 9999.
Depending on the version of WSA code you are running, you can set the surrogate type in the Access Policy. Not being familiar with your network, I would say if you have Citrix servers then create an identity for the servers based on IP address and authentication and set the surrogate to session based cookies.
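A pre-change check for the listening-port point made above, as an added example that is not part of the original thread: before redirecting a port to the proxy, confirm the proxy completes a TCP handshake on it. The function names are hypothetical, and the demo uses a constructed loopback listener as a stand-in for the proxy so it runs offline.

```python
import socket


def port_accepts(host, port, timeout=1.0):
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, unreachable or timed out: nothing is accepting here.
        return False


def check_redirects(host, redirected_ports, timeout=1.0):
    """Map each port you plan to redirect to whether the proxy accepts it."""
    return {p: port_accepts(host, p, timeout) for p in redirected_ports}


def demo():
    """Constructed stand-in: one port with a listener, one port without."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # ephemeral port, plays the enabled proxy port
    listener.listen(5)
    open_port = listener.getsockname()[1]

    # Reserve a second port and release it, so nothing listens on it
    # (plays port 443 with the HTTPS proxy disabled).
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    try:
        result = check_redirects("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return open_port, closed_port, result


if __name__ == "__main__":
    open_port, closed_port, result = demo()
    for port, ok in result.items():
        state = "accepting" if ok else "NOT listening: do not redirect this port"
        print(f"port {port}: {state}")
```

Against a real deployment, call `check_redirects` with the proxy's address and the list of ports your redirect rules send to it.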